The Way Companies Deal With Risk Has to Completely Change

Many people think about risk management as a defensive strategy, a tool for minimizing exposure to economic crises or public-relations blowouts. But Russell Walker, a clinical associate professor of managerial economics and decision sciences at the Kellogg School of Management, argues that businesses should be thinking about risk management very differently. He has just written a book on the topic, Winning with Risk Management, published by World Scientific Press, which he kindly agreed to discuss with Kellogg Insight. Here is our conversation, lightly edited and condensed. (For a longer version of our conversation, listen to the accompanying podcast.)

Kellogg Insight: Your book argues that a company's risk management strategy can actually bring it a competitive advantage. Can you start by explaining just what you mean?

Russell Walker: The world of business has taught us that companies develop competencies and use those to create advantages. Companies might, for instance, be excellent in operations, in marketing, pricing, branding, etc. So in the same way we would ask ourselves, "how do we compare against another firm on pricing?" or "how do we compare against a firm on branding?," we could ask questions about risk management. How does the organization tie into knowledge networks, how is the organization exposed to global stresses, global shocks, shocks in supply chains, or even risk from regulation?

KI: You point out that operational risk in particular is often mismanaged—to a company's peril. What do you mean by operational risk, and why is it important to manage it well?

Russell Walker: Operational risks are the negative outcomes associated with executing a strategy. It's often the case that we remember the very catastrophic, image-driven, external events: explosions, hazards, tornados, what have you. But many organizations fail not because of outside stresses, but because of challenges internally. There may be technological challenges. And there may be organizational issues dealing with information that might suggest that risks are different. Operational risk mostly is the implicit risk that an organization has accepted by setting a strategy.

KI: So let's move to a couple concrete examples. Your book takes us through the way two different cell phone companies, Nokia and Ericsson, both responded to the same crisis, a fire in a supplier's factory that delayed production of a critical component. But the two companies' responses to this crisis were night and day. What happened?

Russell Walker: Great question. The case is a famous one because it highlights how two companies were exposed to essentially the same risk. Both companies were using a single supplier—Philips in this case—which made a memory chip that was unique in the cell phone industry. Both Nokia and Ericsson found themselves dependent on this single supplier. When Philips was unable to produce chips because of a fire event at its factory, Nokia and Ericsson took drastically different approaches.

Ericsson was laissez-faire: "we'll wait for more information on our supplier." Nokia more proactively sought out information. And as you might guess, that more proactive approach by Nokia allowed them to secure the international supply of this memory chip, preventing Ericsson from acquiring any supply. Nokia was able to provide its competitor Ericsson a deathblow, and in doing so gained market share. They picked up 3% of the world's market share and paid Ericsson nothing for that. The case has changed how technology companies in particular view their global supply chain and assess the risk of their suppliers.

KI: How so?

Russell Walker: We have found that many of the components used in technological devices like iPhones or iPads now accept one of many different components in the marketplace. Whereas in the case of Nokia and Ericsson, the phones were designed around one particular memory chip—only one, made by one supplier—now many of the devices have built in an engineering flexibility that allows them to receive one of many different components. We've also seen that Apple has changed its relationship with suppliers. It has a nearly exclusive relationship with Foxconn and develops very deep relationships with its partners. This case shows that both Ericsson and Nokia lacked that kind of deep relationship with a supplier.

KI: Would you say that there are any other ways that technology has shaped the risk landscape?

Russell Walker: Many ways. T.J. Maxx is a large retailer here in the U.S., and they're not a company that you would expect to necessarily be competitive in the world of data security. But because they elected not to take particular actions to upgrade the security on their credit card transaction systems, they became the victim of a very sophisticated and targeted fraud scheme in which individuals stole credit card information from the satellite transfers from T.J. Maxx stores to their headquarters.

T.J. Maxx is a retailer. They compete on selling brands and clothes and all the things that we wish to wear, not on credit card security and in the technology necessary for that. But now even companies that run small e-commerce webpages are exposed. The case highlights—and it was the largest example of credit card fraud to date in the U.S.—the need for companies to stay abreast of technological risk.

KI: Time and again your book frames risk as this opportunity. I know you've touched on it briefly before. But why do you think that the more positive aspects of risk are ignored?

Russell Walker: They're largely ignored because risk has been presented as a downside, not necessarily as an upside. What is fascinating about risk and understanding your competitive position against risk is that if your competitor is to falter—if you could assist your competitor in some demise—their assets (be they market share, factories, brands, etc.) get transferred. And in the context of risk, if we look at the examples of Nokia and Ericsson, and even Toyota and British Patroleum, we see that assets get transferred for nothing. What's really exciting about competing on risk is that you could "buy" your competitor's assets for free. That largely will define the winners and the losers in a marketplace.

KI: You said something really interesting in your book about CEO tenure, and how that might actually influence how companies think about risk. Do you mind sharing?

Russell Walker: Exact numbers are in the book, but I believe a typical CEO tenure is 4-7 years. But it's not uncommon for it to even be less. This suggests that a CEO, given his or her reward package, may take risks or make investments that maximize short-term results, and potentially expose the firm to larger risks later down the road. We could look at family businesses as a comparison, where a family business has the goal of preserving the company over a very long period of time, in fact even transferring it to the next generation. And we find that they take different risks, risks more in the direction of, "how do I preserve this and grow this in a sustainable way?" versus "how do I grow revenue rapidly, quickly?"

KI: So it might not be a bad thing for us all to start thinking about public corporations more as family corporations.

Russell Walker: Well, in the sense that you own it and it's yours, you think about it very differently. In fact it has been suggested that CEOs should be compensated entirely by stock, entirely by ownership.